In NetWitness version 11.4 and below, you may sometimes see a Meta Overflown alarm for tcp.srcport or tcp.dstport on Health & Wellness (H&W).
By default, valueMax of tcp.srcport is defined as 65536 in index-concentrator.xml, as follows.
# grep "tcp.srcport" /etc/netwitness/ng/index-concentrator.xml
<key description="TCP Source Port" name="tcp.srcport" format="UInt16" level="IndexValues" valueMax="65536">
<aliases copyFrom="tcp.srcport"/>
<keyref name="tcp.srcport"/>
<keyref name="tcp.srcport"/>
In theory, the port range is 0~65535, so the number of distinct values can reach 65536 depending on the customer's data or on any custom parsers the customer has.
You may observe "Metakey max capacity reached" messages in /var/log/messages as well.
This warning message indicates that the maximum capacity of the key has been reached and the index will not accept any new values for it.
In this case, however, it does not mean that there are more values than the key can legitimately have.
For your information, you can inspect the values of a specific meta key inside the index slices by using the inspect command on the /index node of the Concentrator service.
# NwConsole -c login localhost:50005 admin netwitness -c timeout 0 -c /index inspect key=tcp.srcport allSlices=True summarizeAllValues=True >> /root/tcp_sourceport.json
The port range 0 to 65535 actually contains 65536 unique values.
Therefore, you need to change valueMax of tcp.srcport to 65537 to resolve this issue.
Although the data type is UInt16, valueMax can be set to 65537 for this key without creating any problems.
In NetWitness version 10.5 and above, this value is set to 65537 by default.
# grep "tcp.srcport" /etc/netwitness/ng/index-concentrator.xml
<key description="TCP Source Port" name="tcp.srcport" format="UInt16" singleton="true" level="IndexValues" valueMax="65537">
<aliases copyFrom="tcp.srcport"/>
<keyref name="tcp.srcport"/>
<keyref name="tcp.srcport"/>
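The following Python script is an added example, not part of this article or of the NetWitness product: it parses an index-concentrator.xml document and reports every IndexValues key whose valueMax is too small to hold every possible value of its integer format, generalizing the off-by-one above (65536 distinct UInt16 values need valueMax 65537) to the other unsigned integer formats. The sample document embedded below is constructed for the example and assumes the real file's structure of a `language` root containing self-closing `key` elements; the key names and values shown are illustrative.

```python
import xml.etree.ElementTree as ET

# Number of distinct values each unsigned integer index format can carry.
# Only bounded integer formats are listed; Text, IPv4 etc. have no fixed range
# that this check could reason about.
FORMAT_RANGE = {"UInt8": 2 ** 8, "UInt16": 2 ** 16, "UInt32": 2 ** 32}

# Constructed sample of an index-concentrator.xml (assumed structure, not a real file).
SAMPLE_INDEX = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="TCP Source Port" name="tcp.srcport" format="UInt16" level="IndexValues" valueMax="65536"/>
  <key description="TCP Destination Port" name="tcp.dstport" format="UInt16" level="IndexValues" valueMax="65537"/>
  <key description="IP Protocol" name="ip.proto" format="UInt8" level="IndexValues" valueMax="256"/>
  <key description="Filename" name="filename" format="Text" level="IndexValues" valueMax="250000"/>
  <key description="Packet Size" name="size" format="UInt32" level="IndexNone"/>
</language>
"""


def required_value_max(fmt):
    """Return the valueMax needed for a bounded integer format, following the
    article's rule: one more than the number of distinct values (65537 for
    UInt16). Returns None for formats without a fixed range."""
    if fmt not in FORMAT_RANGE:
        return None
    return FORMAT_RANGE[fmt] + 1


def find_overflow_candidates(xml_text):
    """Parse an index XML document and return a list of
    (name, format, current valueMax, required valueMax) for every key that is
    indexed by value, has a bounded integer format, declares a valueMax, and
    whose valueMax is smaller than the required one."""
    root = ET.fromstring(xml_text)
    findings = []
    for key in root.iter("key"):
        # Only keys indexed at IndexValues keep a value table that can overflow.
        if key.get("level") != "IndexValues":
            continue
        need = required_value_max(key.get("format"))
        if need is None:
            continue
        raw_max = key.get("valueMax")
        if raw_max is None:
            # No explicit valueMax: the service default applies; nothing to compare.
            continue
        current = int(raw_max)
        if current < need:
            findings.append((key.get("name"), key.get("format"), current, need))
    return findings


def report(xml_text):
    """Human-readable summary of the findings for a document."""
    lines = []
    for name, fmt, current, need in find_overflow_candidates(xml_text):
        lines.append(
            f"{name} ({fmt}): valueMax={current} cannot hold all "
            f"{FORMAT_RANGE[fmt]} distinct values; set valueMax=\"{need}\""
        )
    return "\n".join(lines) if lines else "no undersized valueMax found"


if __name__ == "__main__":
    # To check a live system, read /etc/netwitness/ng/index-concentrator.xml instead.
    print(report(SAMPLE_INDEX))
```

Running the script against the sample flags tcp.srcport (valueMax 65536, needs 65537) and ip.proto (valueMax 256, needs 257), while tcp.dstport already carries the corrected value and the Text key is skipped because its format has no fixed range.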